tfa 8.x-1.0-alpha10

ALL SITES ARE RECOMMENDED TO UPDATE to either 8.x-1.0-alpha9 or 8.x-1.0-alpha10. alpha10 includes many changes from alpha8, including multiple code hardening issues, and heavy code refactoring. See Security below.

ga_login: This version also includes the merger with the Google Authenticator login module. The database update code will disable the ga_login module, but you should still remove that module's code from your site.

Existing TFA plugins should all still work as the plugin API was not changed in the 1.x branch.

Drush 10 / PHP 8: If you use Drush 10 and PHP 8, the restored Drush support in this version will break your Drush install. This is a problem that should be fixed by upgrading to Drush 11, since Drush 10 does not support PHP 8.

Security: Issue #3314706 allows an attacker to bypass the user and password check, as long as they have access to an unused TFA verification URL, and to the user's authenticator app. Brute-force attacks while possible, are not feasible as the flood mechanism limits the rate of attempted guesses.

Changes since 8.x-1.0-alpha8:

Code hardening

• #3314706 by jcnventura, weiseng, greggles: TFA link has no access control and no expiry
• #3075304 by Mingsong, jcnventura: Users' recovery codes exposed to admin users
• #3276595 by greggles, jcnventura, eelkeblok: Trusted browser plugin inadvertently includes subdomains in its cookie
• #2957140 by gbirch, weekbeforenext, jcnventura: tfa.entry route permits needless uid enumeration
• #3089172 by arnaudvz, dpi, acbramley, jcnventura, timohuisman, mstrelan: Use specific permissions to edit TFA for other accounts

Improvements

• #2969265 by jcnventura: Make the trusted browser cookie expiration configurable
• #3208224 by jcnventura: Merge ga_login module

Minor bugs

• #3315549 by jcnventura, pandaski: Set an upper limit to TFA Skip Validations
• #3185898 by cantrellnm, oadaeh, jcnventura: TFA login destination defaults to /user/login
• #3263176 by heddn, pflora, jcnventura: TFA 'enabled' config should be boolean
• #3210780 by Bandana, jcnventura: Warning when returning from showing recovery codes
• #3194488 by acbramley, tallytarik, jcnventura, mstrelan: Not possible to administer TFA for another user
• #3261861 by neclimdul, jcnventura: validation_skip_status inconsistent theming
• #3125484 by jibran, sime, jcnventura: Do not allow invalid plugin ID on tfa.validation.setup form
• #3273764 by g.weston, jcnventura: Sanitize for TFA user data is not run on drush sql-sanitize
• #3280911 by bartlangelaan, jcnventura, TVoesenek: Config schema for views tfa_enabled_field missing
• #3266255 by ralphvdhoudt, mkindred, RichardGaunt, StryKaizer, jcnventura: remove use of config->getRawData()
• #3313115 by jcnventura: Rename TFA user tab from 'Security' to 'TFA', and other minor improvements
• #3058122 by marciaibanez, Guilherme Rabelo, maseyuk, jcnventura: Can't remove existing user login block
• #3269415 by kimberlly_amaral, JohanKleene, jcnventura: Untranslated string in TfaTrustedBrowserSetup plugin

Code refactoring

• #3316499 by jcnventura: Refactor the TfaContext into a trait, rename the TfaDataTrait to TfaUserDataTrait
• #3313998 by jcnventura: Remove unneeded trait uses
• #3313986 by jcnventura: Rename trusted browser cookie name setting from 'cookie_name' to 'trust_cookie_name'
• #3313754 by jcnventura: Refactor Basic[foo] form classes to Tfa[foo]Form
• #3300614 by ricovandevin, jcnventura: Drupal 10 readiness: Reuse core's UserLoginForm constructor in TfaLoginForm
• #3313148 by jcnventura: ex-ga_login tests fail coding standards
• #3313122 by jcnventura: Use null coalesce operator instead of ternary operator
• #3313133 by jcnventura: Use Dependency Injection in TfaUserLoginBlock
• #3299305 by Project Update Bot, jcnventura: Automated Drupal 10 compatibility fixes
• #3313116 by jcnventura: Use correct TFA plugin manager class instead of generic PluginManagerInterface in form constructors